
How to manage the endemic nature of open-source software

Lesson from Log4J: Security vulnerabilities are not just high-profile events like the recently identified Log4J exploit, but rather an ongoing threat on many fronts that needs constant attention.

By Mike O'Malley
February 24, 2022

The recent Log4J exploit not only forced companies to address compromised applications but to reexamine their whole approach to security and how to prepare themselves for future attacks. Log4J woke many businesses up to the importance of responding rapidly to announced open-source security patches. The severity of the threat pushed the open-source community into fast action, something that often isn’t seen with less-publicized exploits.


Unfortunately, Log4J is a symptom of a bigger problem — it’s not just a pandemic playing itself out, but rather an endemic situation much like COVID is now proving to be with its variants. If nothing else, we can be sure there will be many exploits well beyond Log4J as companies keep using open-source software.


Why is Open-Source Software Risky?

Open-source software, like Java, is used in practically every organization for good reason. It’s free and popular with developers because they don’t have to reinvent the wheel for standard processes. Instead, they can take a piece of code that already works and build on top of it to create their applications. The problem is, if the code is freely available for developers, it’s also available for attackers.


Attackers analyze open-source software for vulnerabilities that they can exploit to gain access to the intellectual property or customer data of companies that have used the same code. The good news is that the open-source community is typically quite active and patches vulnerabilities often. The bad news is that companies that use open-source software need to proactively patch or update the software themselves. Attackers are counting on the fact that some companies, especially small and medium-sized businesses (SMBs), don’t have the in-house resources to do this in a timely manner.


Once an attacker has discovered a vulnerability, they exploit that code to hide all sorts of bad actions or “sleeper cells” in a victim’s network and gather information until they’re ready to act. Attackers targeting a business may lie in wait for weeks (Colonial Pipeline) or months (SolarWinds) until they know, based on the data they extracted, that the ransomware attack will have the greatest effect, such as in advance of an earnings call, a product launch or another timely event. This way, the company is more likely to pay the ransom immediately. Sleeper cells make it easier for bad actors to initiate attacks when they have the most impact and leverage for a ransom payment.


Where Do the Problems Lie?

There are new initiatives from large tech companies looking to solve the problem of open-source software vulnerabilities. For example, Google has pledged $100 million to groups focused on improving open-source security. The Cybersecurity and Infrastructure Security Agency (CISA) is working with federal agencies to renew an initiative for the use of a software bill of materials (SBOM). This is an ingredient list for tech systems that organizations can consult when a new bug is discovered. By checking with the SBOM, they can see if vulnerable software needs to be patched. But companies also have to take responsibility for their security.
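As an added illustration of the SBOM check described above (this is example code, not from the article, CISA or any SBOM tool), the script below reads a constructed CycloneDX-style component list and matches it against a constructed advisory list; the advisory IDs are placeholders and the version ranges are illustrative assumptions, not real advisories.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM in a CycloneDX-style JSON layout (not a real inventory).
SBOM_JSON = """
{
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"}
  ]
}
"""

# Constructed advisory feed: placeholder IDs and assumed version ranges, for illustration only.
# An affected range is [introduced, fixed): the first fixed version is not affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-PLACEHOLDER-2", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "introduced": "2.0", "fixed": "2.12.0"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Only leading digits of each part count, so
    pre-release tags such as '2.0-beta9' compare as (2, 0) instead of raising."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric tuple comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def find_vulnerable_components(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Cross-reference every SBOM component against the advisory list; report what needs patching."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) == (adv["group"], adv["name"]) \
                    and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": f"{comp['group']}:{comp['name']}",
                                 "version": comp["version"], "advisory": adv["id"],
                                 "upgrade_to": adv["fixed"]})
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(finding)
```

On the constructed input only log4j-core is reported: log4j-api shares the group but no advisory names it, and jackson-databind is already past its assumed fixed version.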


Yet, companies tend to struggle with cybersecurity hygiene because they don’t have the resources in place to maintain security protocols and regularly apply software patches. Plus, they often rely on third-party software, leaving them exposed both to that software’s own vulnerabilities and to the open-source vulnerabilities it is built on. The average total cost of a data breach is $4.24 million, and costs are higher for organizations that “lag in areas such as security AI and automation, zero trust, and cloud security.” SMBs are hit particularly hard because they don’t have the same security resources as enterprises, so they’re likely to pay higher costs associated with breaches.


According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. And it’s not surprising that small and medium businesses feel like they’re at risk because the Fortune 500 enterprises have big IT and security staffs, and the SMBs have small or nonexistent security teams. The hackers know that and prey upon the easier targets, so SMBs are extremely vulnerable.


How to Mitigate Vulnerabilities from Open-Source Software?

To protect themselves from vulnerabilities in open-source software, all organizations have to make cybersecurity a priority and dedicate resources to it. They don’t have to hire an in-house cybersecurity team, but they have to ensure someone is responsible for handling their security. It’s important to have at least one allocated person who regularly checks software for available patches and updates for known breaches. Organizations should consider hiring penetration testers to try to hack their network to find vulnerabilities before bad actors discover them. Regular vulnerability scans can also highlight issues before an attacker exploits them, and managed service offerings can take much of the burden off the SMBs themselves.


For companies building their applications using open-source software, penetration testing and code audits have to be a part of the process before making the applications publicly available. And once they know about vulnerabilities, they need to refactor those applications to harden them and minimize the attack surface.


How Organizations Can Get the Technical Resources They Need

All companies need dedicated security personnel watching their network, but as mentioned above, it’s not always realistic to hire those resources in-house, particularly for SMBs. Recent data from Cyberseek shows there are almost 600,000 unfilled cybersecurity jobs in the U.S. To close cloud security vulnerabilities and protect sensitive digital assets, companies must engage outside security experts to audit their security profile, fix immediate issues, and maintain ongoing protections. There aren’t enough resources available for all companies to do it in-house.

This is why many organizations have decided to outsource their security to managed service professionals that can offer the exact cloud security protection required. Of course, there are risks if the right provider is not selected. When picking a provider, businesses should focus on outsourcers with high-quality standards that offer top skills, senior people, and have a proven track record.


Log4J may have been the most recent catalyst, but companies will continue to suffer from open-source vulnerabilities until they take an active role in their cybersecurity. Open-source software isn’t going away; in fact, it’s becoming more and more popular. Businesses therefore need to be able to protect themselves against open-source exploits with frequent patching and vulnerability scans. Until they have designated security staff, businesses will always remain victims of the next vulnerability that open-source attackers find.

Mike O’Malley is SVP of Strategy at SenecaGlobal.